cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

12176
Views
40
Helpful
14
Replies
rthawkcom
Beginner

RV042 Firewall does not block HTTPS banned domains

Firewall only searches URLs that start with "HTTP" and ignores all others.

Given a firewall configuration using the banned URL of "google.com", the router will act in the following manner: 

When the user goes to "http://www.google.com", the router will correctly, and in very BAD GRAMMER give "This URLs or Page has been blocked."  There is NO way to redirect the user to an internal web address OR to correct the poor English.

When the user goes to "https://www.google.com", the router lets the user go right on through!  What fire wall??

Hey Cisco!!  Here is a thought.  Hire some AMERICAN programmers who know how to code!!  It's been how many years now and we are STILL finding bugs??  The RV042 is just full of "Engrish".  At least hire an English speaker to correct all the English in it.  Hell, give me the source code and I will do it!!

14 REPLIES 14
Tom Watts
Advocate

Hi R.M this is not particularly a bug at all. For such a feature it would block all HTTPS or a reverse DNS would be required. Even a lot of top end routers cannot perform this function.

If you are dissatisified, you may look in to something like opendns.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

I'm confused.  It still has to perform a session negotiation (handshake) before it goes encrypted.  It has to say "Hello" to the server.  Block it there.  Explain to me why it cannot do this?

If I see traffic on port 443 and the destination matches a banned URL.  It gets bocked.  Simple!  What do I not understand?

Ask the same question to every other vendor. Seriously... you won't find the feature hardly anywhere.

Unless you want to start editing host files, use OPENDNS otherwise throwing tantrums over this is really a waste of frustration and is really silly.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Not throwing a tantrum, but you do appear to be evading the question.  Is there a technical reason why HTTPS cannot be blocked in the same manner as HTTP?  Simple YES or NO will work.

If it cannot be done, then say "NO!  It cannot be done!".  Otherwise, what is the road block?

Even if we can't get that done.  Can we at least get rid of the "Engrish"??

It won't be done because you would need to make the DNS point to a broken entry for the desired domain.

Otherwise you need to block all IP ranges for the web service which will consequently break HTTP as well.

Or you can use service such as opendns...

I'm not evading the question, it was answered on my first post and second post. I fail to see evasion when it is 3 times now a solution provided to you...

"When the user goes to "https://www.google.com", the router lets the user go right on through!  What fire wall??

Hey Cisco!!  Here is a thought.  Hire some AMERICAN programmers who know  how to code!!  It's been how many years now and we are STILL finding  bugs??  The RV042 is just full of "Engrish".  At least hire an English  speaker to correct all the English in it.  ****, give me the source code  and I will do it!!"

This above quote is a tantrum which was pointless and fraught with ignorance.

Anyway, I am done posting here. Good night and please do some research before saying a bunch of "Engrish buggy crap doesn't work".

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Oh, you're absolutely right!  I am ignorant!  "This URLs or Page has been blocked."  Is perfectly fine English!  We should leave that in.

I can´t block the page https://www.facebook.com anyone can help or flat this router is junk and does not work

regards

Hi Alfredo, if you're classifying the RV042 as junk since HTTPS cannot block, please research all other vendors.

If you want a solution, use OPENDNS. I thought it is pretty clear in this topic but I guess it is not.

If you want to block something like https://whatever you need to black hole the DNS entry. The router doesn't have a fully supported DNS server (nor do most routers, even router that cost a bajillion dollars).

If you're unhappy with the product, you may implement your own DNS and manage your connections however you like. The router is not junk, the feature you desire it is a highly advanced and powerful feature that is generally not implemented nor supported by nearly all vendors except for a product that may be designed specifically for this feature.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Tom.  First off, thanks for taking the time to address these issues.   We are not trying to harasse or otherwise make your life difficult.  We  are just looking for answer to things which appear to be unusual to us,  and that does not appear to be happening.  Let's start over.

1. The router cannot block HTTPS domains.  Ok.  We get that part.  That being said naturally these questions follow:

     a. Well why can't we block it?  The initial call  to port 443 is unencrypted... so why not?  The destination URL is in  the packet right?  Do a simple match and redirect or just drop the  packet!  Yes, I get that other routers can't do it either, but this is  an ADVANCED router!  We are better than they are!  You have a work  around, cool that is an option... assuming the user isn't using Open  DNS, 4.2.2.2 or the like.  But instead of addressing this point you  simply deflect the question and point back to the work around.  Wouldn't  it be better to get someone who can explain WHY YOU CAN'T do this  instead of dancing around the issue like a politician?  Just saying,  would like SOMEONE to give a definitive NO so this can be put to rest.   Reciting the workaround does NOT answer the question!

     b. The router WILL NOT block HTTPS and that's final!   Ok fine!  You're  router, not like I can force you.  Now here is a thought!  Why not tell  people this??  Why not a little note like "This will NOT block HTTPS!"  so people will know!?  Then you won't be fielding these questions,  sounds like this would help you!  Look. We can even put it into engrish  so it matches the rest of the router "This not for the blocking of the  HTTPS!"  Which segways nicely into my second point!

2.  Advanced router?  That's a really hard sell Tom!  Your people can't  even use PROPER ENGLISH!!  "This URLs" isn't boosting my confidence  level any.  I'm thinking, "They can't even be bothered with getting a  native English speaker to correct the bad English... wonder what else is  broken??"

You know, if it was JUST that one  phrase, I give your team a pass on that.  It's hidden.  Easily missed...  but on the FRONT PAGE!?  Very front page and no one has noticed?  Or  cared?  "If you need guideline to re-configure the router, you may  launch wizard."  MORE ENGRISH!! Front freaking page!!  Has anyone NOT  noticed this?  THAT IS BAD ENGLISH!!  And what revision of the firmware  we are on now?  Why isn't this corrected?  My guess is because no one  gives a flying ****!!  That's why!!

So please!  Do  tell me more about the "kuality" control of this advanced router!!!  If  your people can't even fix something  as simple as bad grammar... why  would you expect me to assume everything else about the router works  properly???

Tom... I'm not attacking you.  I'm  simply pointing out some issues which I don't feel you are taking  seriously.  Stop defending these people!  What can you do to help us get  these issues fix this??

Hi R.M. The problem is most network professionals and aficionados do not require a break down on how things work or are capable of doing the research themselves.

But since you insist I will try my best to explain what is HTTPS and how it works.

HTTPS is not really a protocol. Instead it uses HTTP which employs SSL/TLS encryption. HTTPS signals your internet browser to use the added SSL/TLS encryption with the https:// request. HTTPS is a piggyback of HTTP. Your web browser trusts HTTPS websites based off the certificate authority otherwise you would be prompted if you trust the certificate or not.

When there is a HTTPS request, it uses port 443. When the request is sent, one of two things happens on the router level. You may A.) Block the domain (http) or B.) Block https, which will block HTTPS for every website.

The reason for this is, when the HTTPS request is sent, everything is encrypted. The headers, request, response. Commonly "simple" https is implemented. From your point of view, the router has nothing to do with this. This is the transaction between your browser and the server. The browser checks against the server certificate to verify it is trusted. There is a determination of which encryption is supported. The browser and server send each other a unique code. The browser and server use a mutual encryption to start talking.

The router's behavior is very simplistic and predictable. Block the entire website http or block all of https (443).

The short synopsis, there is nothing special the router could do, or in fact anyone can do to block HTTPS. There are work arounds such as blackholing. There is nothing special or particular about HTTPS. Since all it does is use HTTP then add SSL/TLS to encrypt. The router (any router really) cannot load and identify the certificates or break the encryption communication without breaking down the whole process for everything.

And a personal note. I "defend" the product because of posts exactly like yours, slurring untrue information and proclaiming foul because you do not understand. Posts like this do 2 things. #1 it is bad for business to people who don't know better and #2 It looks terrible for you to people who do understand. May be you do not understand but Cisco brand has a cult following and it is expected you are some level of network professional with some degree of understanding or ability to find information. If you're a do-it-yourselfer, non-network-guy, you should really let people know then they will talk to you at a level you should be able to understand. But getting edgy, trying to blast off on a product, it does absolutely nothing.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Sorry Tom,

    I think you're missing the point, and I have to agree, on some level, with the gripes in this post.  The server address is still resolved, unencrypted, to UDP port 53 (DNS).  If a content filter is going to really get the job done, it should, absolutely, include this in packet dropping.  So if the user enters facebook.com into the blocked URL list, the background software should drop or redirect any packets destined to UDP port 53, with facebook.com in the header data.  Not only is this not hard to accomplish programmatically, it is seen in many enterprise hardware and software products.

    I do, however, agree that setting up a DNS black hole is one of best ways to block a website on all ports.  It’s a shame that the RV042 doesn’t support restricting UDP 53 to specified addresses.  If a BYOD connects to the network, they can change their DNS and get right through.

 

  -- Mike

joejsullivan
Beginner

I'm sure you guys have figured this out by now. One way to block a site like Facebook or Google via HTTPS is using the access rules. It's not ideal, the IP address can always change. If you run your own DNS make it point to something else like 127.0.0.1 or whatever. You guys are network people, point it wherever you like.

Joe

That work for a simple network with one IP, But suppose you want to block google drive and no other Google services, any idea?.

 

nslookup drive.google.com  gives different IPs and also shares a range of IPs with other services.

 

very disappointed with this RV routers, my old dlink give me more features that this expensive buggy routers forgive me, I needed to de-stress.

RV042 :(

 

My "access rule" in Firewall:

 

Action = Deny

Services = HTTPS:443

Source Interface = LAN

Source = Any

Destination = [ IP of my RV042 ]

Time = Always

 

This rule does not work when access on browser with https://[ IP of my RV042 ]

 

If rules with HTTP:80, its Ok. :)

But, if rule with HTTPS:443, does'n work. :(

 

Why?